io_uring/zcrx: fix null ifq on area destruction

Dan reports that ifq can be null when infering arguments for
io_unaccount_mem() from io_zcrx_free_area(). Fix it by always setting a
correct ifq.

Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/r/202507180628.gBxrOgqr-lkp@intel.com/
Fixes: 262ab205180d2 ("io_uring/zcrx: account area memory")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/20670d163bb90dba2a81a4150f1125603cefb101.1753091564.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/io_uring/zcrx.c b/io_uring/zcrx.c
index dabce3ee0e8b7c6e7a1cc9222bf4c5931b499190..6b4bdefb40c465b07f96c8df537f09d97c5be1eb 100644 (file)
--- a/io_uring/zcrx.c
+++ b/io_uring/zcrx.c
@@ -377,8 +377,7 @@ static void io_free_rbuf_ring(struct io_zcrx_ifq *ifq)
 
 static void io_zcrx_free_area(struct io_zcrx_area *area)
 {
-       if (area->ifq)
-               io_zcrx_unmap_area(area->ifq, area);
+       io_zcrx_unmap_area(area->ifq, area);
        io_release_area_mem(&area->mem);
 
        if (area->mem.account_pages)
@@ -411,6 +410,7 @@ static int io_zcrx_create_area(struct io_zcrx_ifq *ifq,
        area = kzalloc(sizeof(*area), GFP_KERNEL);
        if (!area)
                goto err;
+       area->ifq = ifq;
 
        ret = io_import_area(ifq, &area->mem, area_reg);
        if (ret)
@@ -445,7 +445,6 @@ static int io_zcrx_create_area(struct io_zcrx_ifq *ifq,
        }
 
        area->free_count = nr_iovs;
-       area->ifq = ifq;
        /* we're only supporting one area per ifq for now */
        area->area_id = 0;
        area_reg->rq_area_token = (u64)area->area_id << IORING_ZCRX_AREA_SHIFT;